In response to Joe Weiss' blog post of Jan. 19, I totally disagree about NERC CIP not making the grid more secure or reliable. Just a few reasons. I have seen where control systems were operated without malware and ultimately became infected. At least NERC CIP forces utilities to adopt best operating practices for cybersecurity. I know there are a lot of the rules that don't seem to make sense, but they are many times a compromise on what is practical. Control systems are not always patched as recommended by Microsoft. NERC CIP pushes the utility to patch as regularly as practical. Even the vendors of control systems have had to learn their systems better as they are pressed by their customers to document the used ports and services and pare down the unused. Changing passwords and disabling default accounts are but a few of the many best practices that are being pushed by NERC CIP. It is truly my belief that if not pushed by NERC CIP, many utility companies would not adopt best practices and would be very vulnerable and insecure. The rules and regulations are not perfect, but as with any law or rule, it is a compromise. The only way I see that NERC CIP does not make the grid more secure and reliable is if the rules are not followed or [if they are] circumvented.
Gregory Bryant
Duke Energy